CVE-2021-39115

Summary

Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature. The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0.

Affected Software

VendorProductVersion RangeStatus
AtlassianJira Service Desk Serverunspecified < 4.13.9affected
AtlassianJira Service Desk Server4.14.0 < unspecifiedaffected
AtlassianJira Service Desk Serverunspecified < 4.18.0affected
AtlassianJira Service Desk Data Centerunspecified < 4.13.9affected
AtlassianJira Service Desk Data Center4.14.0 < unspecifiedaffected
AtlassianJira Service Desk Data Centerunspecified < 4.18.0affected

Weaknesses

  • CWE-96: CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References